01-18-2007 09:19 AM - edited 03-11-2019 02:21 AM
I am setting up an ASA5505 for a pilot home office, defining a business VLAN and a personal VLAN. I have set up the DHCP scopes for both VLANs, but I need to be able to only permit specific MAC addresses to receive a DHCP address from the business VLAN. On an 871 router I can use the mac or "client-identifier" command. Is there a way to do this on the ASAs?
01-18-2007 03:18 PM
You can use a combination of static arp entries and arp inspection to accomplish this. You will need to statically define every host with the arp command:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479532
You then need to enable arp inspection with the no-flood keyword. This will mean that all arp entries will be dropped unless they are statically configured. This will lock out all other hosts other than those that you have configured.
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479789
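As an added example (not from the thread or from the Cisco documentation linked above), this is what the static-ARP plus no-flood ARP inspection workaround looks like in ASA 7.2 syntax for a business interface, with placeholder interface names, IP addresses and MAC addresses. It assumes the ASA runs in transparent firewall mode, since the arp-inspection command is only available there.

```cisco
! Added example, not taken from the thread. All names, IPs and MACs are placeholders.
! ARP inspection is a transparent-firewall feature, so the ASA must be in that mode.
firewall transparent
!
interface Vlan10
 nameif business
 security-level 100
!
! One static ARP entry per host allowed on the business side.
! Syntax: arp <interface_name> <ip_address> <mac_address>
arp business 192.168.10.11 0011.2233.4455
arp business 192.168.10.12 0011.2233.4466
!
! Enable ARP inspection on the business interface only. With no-flood, an ARP
! packet whose IP/MAC pair does not match a static entry is dropped instead of
! being flooded, so unlisted hosts cannot resolve anything through the ASA.
! The personal interface is left without inspection so any host works there.
arp-inspection business enable no-flood
```

Note that this filters ARP, not DHCP: an unlisted host may still obtain a lease, it simply cannot communicate through the inspected interface afterwards.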
01-18-2007 04:39 PM
Thanks, that is a clever workaround; however, I don't think this will be a viable solution for us, as the MAC addresses for the devices connecting to the personal VLAN will be unknown and subject to frequent change.
To clarify, I need to set up the ASA so that:
1) It provides Business vlan DHCP assigned IP addresses only to specific static mac defined devices attached to ports in the Business vlan.
2) It provides Personal vlan DHCP assigned IP addresses to any devices attached to ports in the Personal vlan.
3) It prevents any non-static-MAC-defined devices from obtaining a DHCP address on the Business vlan.
I will read the URLs you linked more closely and see what/if I am missing something.
01-19-2007 05:23 AM
I think that it will work for you because you can enable ARP inspection on a per interface basis.
01-19-2007 06:12 AM
I just had this same requirement. I ended up creating a new VPN group for the users (there were only two).
01-25-2007 05:17 PM
Unfortunately the TAC engineer I spoke with said this will not provide the solution I am after in so far as the ASA assigning DHCP addresses to specific MACs. I would have to statically configure each IP address on the devices that I wish to have access to the Business LAN and subject them to the static ARP/ARP inspection.
If you can elaborate on your solution I can share it with the TAC engineer.
In parallel I have requested our account team submit a Feature Request for this capability in future ASA code releases.